Release 2.5.2

Fixes:

- Allow unknown properties in `credProps` client extension output.

Author: emlun

.github/workflows/release-verify-signatures.yml

@@ -39,7 +39,7 @@ jobs:
 
     strategy:
       matrix:
-        java: ["17.0.7"]
+        java: ["17.0.10"]
         distribution: [temurin, zulu, microsoft]
 
     steps:

NEWS

@@ -1,3 +1,10 @@
+== Version 2.5.2 ==
+
+Fixes:
+
+* Allow unknown properties in `credProps` client extension output.
+
+
 == Version 2.5.1 ==
 
 Changes:

README

@@ -4,7 +4,15 @@
 import java.util.Set;
 
 public interface ExtensionOutputs {
-  /** Returns a {@link Set} of the extension IDs for which an extension output is present. */
+  /**
+   * Returns a {@link Set} of recognized extension IDs for which an extension output is present.
+   *
+   * <p>This only includes extension identifiers recognized by the java-webauthn-server library.
+   * Recognized extensions can be found as the properties of {@link
+   * ClientRegistrationExtensionOutputs} for registration ceremonies, and {@link
+   * ClientAssertionExtensionOutputs} for authentication ceremonies. Unknown extension identifiers
+   * are silently ignored.
+   */
   @JsonIgnore
   Set<String> getExtensionIds();
 }

webauthn-server-core/src/main/java/com/yubico/webauthn/data/ExtensionOutputs.java

@@ -1,6 +1,7 @@
 package com.yubico.webauthn.data;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonValue;
 import com.upokecenter.cbor.CBORObject;
@@ -63,6 +64,7 @@ public static class CredentialProperties {
      *     Credential Properties Extension (credProps)</a>
      */
     @Value
+    @JsonIgnoreProperties(ignoreUnknown = true)
     public static class CredentialPropertiesOutput {
       @JsonProperty("rk")
       private final Boolean rk;

webauthn-server-core/src/main/java/com/yubico/webauthn/data/Extensions.java

@@ -258,12 +258,21 @@ class RelyingPartyRegistrationSpec
                 },
                 "clientExtensionResults": {
                   "appidExclude": true,
-                  "org.example.foo": "bar"
+                  "org.example.foo": "bar",
+                  "credProps": {
+                    "rk": false,
+                    "authenticatorDisplayName": "My passkey",
+                    "unknownProperty": ["unknown-value"]
+                  }
                 }
               }""")
             pkc.getClientExtensionResults.getExtensionIds should contain(
               "appidExclude"
             )
+            pkc.getClientExtensionResults.getExtensionIds should contain(
+              "credProps"
+            )
+            pkc.getClientExtensionResults.getExtensionIds should not contain ("org.example.foo")
           }
         }
 

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -44,7 +44,7 @@ layer.
 This layer manages the general architecture of the system, and is where most
 business logic and integration code would go. The demo server implements the
 "persistent" storage of users and credential registrations - the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
 integration point - as the
 link:src/main/java/demo/webauthn/InMemoryRegistrationStorage.java[`InMemoryRegistrationStorage`]
 class, which simply keeps them stored in memory for a limited time. The
@@ -58,7 +58,7 @@ would be specific to a particular Relying Party (RP) would go in this layer.
 - The server layer in turn calls the *library layer*, which is where the
   link:../webauthn-server-core/[`webauthn-server-core`]
   library gets involved. The entry point into the library is the
-  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/RelyingParty.html[`RelyingParty`]
   class.
 +
 This layer implements the Web Authentication
@@ -69,11 +69,11 @@ and exposes integration points for storage of challenges and credentials. Some
 notable integration points are:
 +
 ** The library user must provide an implementation of the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/CredentialRepository.html[`CredentialRepository`]
 interface to use for looking up stored public keys, user handles and signature
 counters.
 ** The library user can optionally provide an instance of the
-link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.1/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.2/com/yubico/webauthn/attestation/AttestationTrustSource.html[`AttestationTrustSource`]
 interface to enable identification and validation of authenticator models. This
 instance is then used to look up trusted attestation root certificates. The
 link:../webauthn-server-attestation/[`webauthn-server-attestation`]
@@ -158,7 +158,7 @@ correct environment.
     Authentication demo'`
 
   - `YUBICO_WEBAUTHN_USE_FIDO_MDS`: If set to `true` (case-insensitive), use
-    https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.1/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
+    https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-attestation/2.5.2/com/yubico/fido/metadata/FidoMetadataService.html[`FidoMetadataService`]
     from the link:../webauthn-server-attestation[`webauthn-server-attestation`]
     module as a source of attestation data in addition to the static JSON file
     bundled with the demo. This will write cache files to the